What a Tangled Web We Weave: Understanding the Interconnectedness of the Third Party Cookie Ecosystem
Xuehui Hu Nishanth Sastry King’s College London King’s College London, UK London, UK University of Surrey, UK [email protected] [email protected] ABSTRACT KEYWORDS When users browse to a so-called “First Party” website, other third Container Identity, Third Party Cookie parties are able to place cookies on the users’ browsers. Although ACM Reference Format: this practice can enable some important use cases, in practice, these Xuehui Hu and Nishanth Sastry. 2020. What a Tangled Web We Weave: third party cookies also allow trackers to identify that a user has Understanding the Interconnectedness of the Third Party Cookie Ecosys- visited two or more first parties which both share the second party. tem. In 12th ACM Conference on Web Science (WebSci ’20), July 6–10,2020, This simple feature been used to bootstrap an extensive tracking Southampton, United Kingdom. ACM, New York, NY, USA, 10 pages. https: ecosystem that can severely compromise user privacy. //doi.org/10.1145/3394231.3397897 In this paper, we develop a metric called “tangle factor” that measures how a set of first party websites may be interconnected 1 INTRODUCTION or tangled with each other based on the common third parties used. It is common knowledge that cookies are placed in a user’s browser Our insight is that the interconnectedness can be calculated as the when they visit a website. The websites that the users visit are chromatic number of a graph where the first party sites are the called first party websites (FPs). Although some of these cookies nodes, and edges are induced based on shared third parties. are placed by FP domains, many are placed by third party affiliates We use this technique to measure the interconnectedness of (TPs) of the first party sites, for reasons such as advertising, orana- the browsing patterns of over 100 users in 25 different countries, lytics. Examples include advertising networks such as adnxs.com, through a Chrome browser plugin which we have deployed. The amazon-adsystem.com and doubleclick.net, analytics platforms users of our plugin consist of a small carefully selected set of 15 such as google-analytics.com, or social media trackers such as test users in UK and China, and 1000+ in-the-wild users, of whom Facebook and Twitter. 124 have shared data with us. We show that different countries Such TPs have proved to be an extremely powerful method for ag- have different levels of interconnectedness, for example China has gregating users’ browser histories – for example, a TP that appears a lower tangle factor than the UK. We also show that when visiting on both https://www.bbc.com, and https://www.nytimes.com the same sets of websites from China, the tangle factor is smaller, is able to infer that a user visited both sites, and therefore can infer due to blocking of major operators like Google and Facebook. that the user might be someone who is interested in news and We show that selectively removing the largest trackers is a very current affairs. An important motivation for such detailed profiling effective way of decreasing the interconnectedness of third party of users is that it can lead to more “targeted” advertisements, which websites. We then consider blocking practices employed by privacy- are much more profitable. For instance, recent research shows that conscious users (such as ad blockers) as well as those enabled by right-leaning hyperpartisan websites in the US use more sophis- default by Chrome and Firefox, and compare their effectiveness ticated and more intensive tracking techniques and are therefore using the tangle factor metric we have defined. Our results help able to command higher prices than left-leaning websites [3]. quantify for the first time the extent to which one ad blocker is As advertisers’ demand for detailed profiles continues to grow, so more effective than others, and how Firefox defaults also greatly does the sophistication of third party tracking technologies. Users help decrease third party tracking compared to Chrome. and many browsers have responded with new technologies to safe- guard user privacy. Indeed, this has led to an “arms race”, with users CCS CONCEPTS installing ad blockers such as AdBlock Plus[14], uBlock Origin[18] • Security and privacy → Web application security; Social net- and Ghostery[9], and certain websites (e.g., memeburn.com, english- work security and privacy. forum.ch) responding with anti ad-blocking technology[31, 37, 46] that refuse to deliver content unless users unblock ad blockers whilst visiting their sites. Permission to make digital or hard copies of all or part of this work for personal or An important addition to the arsenal of technologies for pre- classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation venting tracking of users is the notion of multi-account containers, on the first page. Copyrights for components of this work owned by others than the often referred to simply as “containers”. Pioneered by Firefox [33], author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or containers are a way to separate different sets of cookies from each republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. other. Containers were initially intended for providing “contextual WebSci ’20, July 6–10, 2020, Southampton, United Kingdom identities”1, i.e., to create different user identities depending on © 2020 Copyright held by the owner/author(s). Publication rights licensed to ACM. ACM ISBN 978-1-4503-7989-2/20/07...$15.00 1https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Work_ https://doi.org/10.1145/3394231.3397897 with_contextual_identities WebSci ’20, July 6–10, 2020, Southampton, United Kingdom Xuehui Hu and Nishanth Sastry the context of operation. For example, containers allow a user to cleanly separate their work and personal identities on the same browser. Different containers can also be used to login to thesame sites with multiple user ids (for example, users having several email accounts from the same provider can be simultaneously logged in to each of them in different containers). In this sense, containers are similar to other browser extensions such as Multifox [28] or CookieSwap [13] (or the similar Swap my Cookies extension on Chrome [15]). Figure 1: Overlapping first parties which share a third party Firefox containers essentially create a different user profile within tracker must be placed in separate containers, thus the red each container, providing a different database of cookies and stor- and green sites must be separated. The blue website does not 2 age for each . Thus, each container identity is kept separate from share any third parties with either red or green and can be the others, and information such as third party cookies are not placed together with either of them in a container. shared across containers. Firefox suggests [33] that this can be used to also achieve additional privacy, for instance by placing a user’s shopping websites into a separate container from financial websites We calculate the tangle factor by modelling the set of FPs as such as banks and credit cards. nodes of a graph, drawing edges between two FPs when they share Although containers offer a clean way to separate third (and first) one or more TPs. We call this the first party interconnection graph parties from each other by creating different cookie stores, they are (FPIG). Two FPs in the FPIG that share an edge (i.e., share one or only effective if interfering parties are manually placed in separate more TPs) must be therefore placed in separate containers in order containers. Recently, Firefox has come up with add-ons which au- to prevent tracking by the shared TPs. If we assign a colour to each tomatically, or by default, provide protection for one of the most container, and label FPs in the FPIG with the colour of the container prevalent trackers – Facebook. This add-on creates a specialised they are placed in, it is easy to see that the vertex chromatic number container [36] for Facebook. Once installed, it opens Facebook in of the FPIG, i.e., the number of colours needed for nodes or vertices its own container, and the user is logged out of Facebook in other of the FPIG such that neighbouring vertices which share an edge containers, thus automatically preventing Facebook Pixel [35] and are coloured differently, gives the minimum number of containers other tracking by Facebook of users who are logged in. needed to effectively separate that set of FPs. We call this the tangle While a solution for Facebook’s tracking is indeed important as factor of a given set of first party websites. it is widely used on many websites, it is not sufficient, as it does not We apply the Tangle Factor metric to three different sets of offer protection against other third parties. Furthermore, Facebook first party websites. First, we look at the Alexak top- websites for is blocked by the Government in countries such as China, and thus different values of k, and for two different countries, UK and China. 3 is not a major third party in that country [20]. Thus, solutions are Second, we leverage an ongoing user study which developed a needed that work for other important third parties, as well as for Chrome plugin and collected anonymised browsing histories for other country and cultural contexts. a period of one year from a small cohort of users in the same two Generalising from the Facebook example, any third party can be countries (UK and China). Our plugin has since been released in- prevented from learning the (partial) browsing histories of users if the-wild, to help users to visualise their own browsing histories. two first parties sharing the same third party are placed in different We also provide these users an option to manually send us their containers. Fig. 1 illustrates this with an example. The websites histories, and contribute to our study. Our third and final set of in green and red share one or more third parties (e.g., Facebook, websites is two months of browsing histories of 124 users from 25 Google DoubleClick etc.), and therefore need to be placed in sepa- countries who have decided to voluntarily contribute data to our rate containers; otherwise the common third parties (e.g., Google’s user study. DoubleClick) will be able to infer that the same user visited both the We can use the tangle factor to understand the third party ecosys- green and red websites. However, the blue site does not share any tem from different vantage points. For example, we visit thek top- third parties with either the green or red website and therefore can most popular websites from UK and China, and find that for the be placed in the same container with either of those two websites. same set of websites (Global top 2K websites according to Alexa), This paper asks the simple question: if the above policy is applied visiting from the UK results in much higher interconnectivity than uniformly across different sets of websites, how many containers from China. In other words, the most popular sites have a higher will be needed to separate different first party websites that share tangle factor from UK locations, i.e., it requires many more separate one or more third parties? This number provides us with a way containers to prevent third parties from tracking browsing of top-k to characterise and quantify the interconnectedness of the third websites in the UK, than in China. party ecosystem for a given set of first party websites. We term this A similar result carries over into actual browsing histories of as the Third Party Tangle Factor, or simply the Tangle Factor of real users in both countries, which are based on country-specific that set of websites. The higher the Tangle Factor, the more the websites rather than synthetic “top-k” websites: browsing histories interconnectedness of third party cookie ecosystem. of users in China have a lower tangle factor, i.e., are more easily separated, and with fewer containers, than browsing histories in
2In practice, a userContextID column is added to the cookie database, and only 3This study has been approved by King’s College London Research Ethics Committee cookies matching the context ID of the container are sent to the website. (Approval no. MRS-1718-6539). What a Tangled Web We Weave: Understanding the Interconnectedness of the Third Party Cookie Ecosystem WebSci ’20, July 6–10, 2020, Southampton, United Kingdom
UK. We then expand to investigate the browsing histories of our x.doubleclick.net and y.doubleclick.net tracking bbc.com, in-the-wild users across 25 different countries, and show that the we record them both as doubleclick.net and only count them interconnectedness of websites has only a low (-0.0726) correlation once. Thus, we refer to third party services based on the 2nd -level with the actual numbers of third parties. Rather, it is the ubiquity of domain names [5]. large third party trackers (e.g., Facebook and Google DoubleClick) Next, we may have different third party domains that all belong which are present on a large proportion of websites, that increases to the same parent entity. For example, DoubleClick and Google the tangle factors. Analytics are both owned by Google. Following [23], We detect Consequently, we explore a “what if” scenario where the most such cases by tracing the Authoritative DNS (ADNS) servers for common third parties simply did not exist, or were prevented from the 2nd -level domain names of TP entities, and merging TPs that operating (e.g., through ad blockers). We show that deleting the share the same ADNS server. most common third party trackers, which corresponds to deleting Finally, some third parties use a cookie synchronisation mecha- the most common sources of edge creation in the FPIG, is a highly nism to establish a “data sharing tunnel” between different third- effective approach, and the tangle factor drops very quickly withthe party vendors. Following guidelines in [39], we detect cookie syn- removal of the most common trackers. We then use this approach chronisation by correlating shared unique userIDs embedded in to measure the effectiveness of several ad blockers, and show that cookies stored by different third parties. uBlock origin is more effective than Adblocker Plus, Ghostery and Ad Guard. We also show that a) that the largest containers of 2.3 First Party Interconnectivity Graphs (FPIG) non-interfering first parties contain regional and computer-related websites, and b) using Adblocker Plus and uBlock origin results in After merging third parties using the techniques mentioned above, UK interconnectivity dropping to levels similar to that of China. we then consider all the third parties of a given set of first parties. This lower interconnectivity is quantified in terms of the increase We then model this as a graph, where the nodes are the first party in the sizes of the largest set of non-interfering first parties (i.e., the websites, and edges are drawn between two nodes if the corre- size of the largest container when separating different first parties). sponding first party websites share a third party (after third parties The rest of this paper is organised as follows: §2 defines the are merged using the disambiguations discussed above). tangle factor, and provides details about our datasets. §3 quantifies the tangle factor by country, in terms of the numbers of containers 2.4 Calculating Tangle Factor needed to separate first party websites that share a third party; The tangle factor of a given set of websites, i.e., a given FPIG, is §4 uses the tangle factor to assess different methods to restrict calculated by computing an assignment of FPs to different contain- the numbers of containers needed; §5 discusses related work and ers, whilst respecting the restriction that two FPs that share a TP context, and §6 concludes. (i.e., two nodes connected by an edge in the FPIG) must be placed in different containers. 2 DATA COLLECTION & METHODOLOGY 2.1 Browser plugin for data collection The backbone of our data collection methodology is a plugin called “ThunderBeam”, which we have created for Google Chrome, by extending a Firefox extension called Lightbeam [32]4. Thunderbeam not only allows users to log their browsing history, but it also provides support to track third-party networks across sites. The original Lightbeam for Firefox was based on an add-on called Collusion developed by Mozilla in 2012 [43]. Branching from Collusion, there is an add-on called Disconnect [11] for Google Chrome browsers. However, as opposed to Lightbeam, Disconnect can only log trackers in a uncontextualized manner (i.e., by looking Figure 2: Restrictions in this first-party (FP) model example: at websites individually). Thus, Disconnect does not support track- ○1 FP1 cannot be in the same container with FP3; ing third parties across sites since there is no direct mechanism to ○2 FP2 cannot place with FP4 and FP6; capture and match the correspondence of first-party and third-party ○3 FP6 cannot be with FP5. requests in Chrome. Our plugin develops several adaptations to make this work on Chrome, as detailed in a separate paper [20]. Effectively, this corresponds to a vertex graph colouring problem, 2.2 Third party disambiguation where nodes with the same colour can be placed within the same In our analysis, we take the data provided by the Thunderbeam container, and nodes which share an edge must be assigned different plugin, and identify different third parties. This requires some sub- colours. Fig. 2 illustrates how a particular set of edges between tle disambiguation. First, we may have different domain names different first parties would give rise to a container assignment. from the same third party entity: For instance, if there are both The minimum number of colours for the vertex colouring problem, i.e., the minimum number of containers needed in the FPIG, is the 4Lightbeam is no longer a supported Firefox extension after Oct 2019 tangle factor of a given FPIG. WebSci ’20, July 6–10, 2020, Southampton, United Kingdom Xuehui Hu and Nishanth Sastry
Table 1: Year-long (Jan 2018 to Jan 2019) data collection from Table 2: Data collected from extension installers (ver.2) from 15 users in UK and China Dec. 2019 to Feb. 2020: 124 users across 25 countries in total., Countries with fewer than 5 users are shown in gray. User Group 1st party sites 3rd party cookies UK Users 8416 113,003 Continent Country Num (Users) CN Users 6144 74,313 Tunisia 5 Africa (8) Total 14,827 187,316 Egypt3 China 8 India 5 Asia (20) Israel3 Singapore2 Thailand2 Germany 13 United Kingdom 10 2.5 FPIG datasets France 10 We apply the above methodology to obtain tangle factors for several Netherlands 9 different sets of first parties. First, we use an automated browsing Denmark 8 Spain 6 system, built on top of Selenium [12] running in non-headless mode, Europe (70) and collect the cookies set by the Alexa5 top-k most popular web- Italy 5 sites. Specifically, we programmatically visit the country-specific Belgium 5 Alexa top500 sites in UK and China, and also the global top2k Switzerland3 websites from UK and China locations, in order to obtain a compar- Luxembourg2 ison between the number of containers required in both countries. Norway1 The degree of demand for containers is taken as an indication of Sweden1 United States of America 8 the degree of third-party risks in different countries. Further, we North America (15) visit the UK top500 websites after installing different ad blockers Canada 5 (uBlock Origin, Adblock Plus, Ghostery and Adguard Adblocker) Mexico2 on two different browsers (Chrome and Firefox), to understand the Oceania (3) Austria3 Chile3 privacy protection provided by different ad blockers. South America (5) To complement this dataset, we also collect data from real users Brazil2 who consented to support our work by providing anonymised browser histories6. Our users come in two cohorts. First, we have a small cohort of 9 users in the UK and 6 users in China, whose browsing activities were collected for a year-long period from Jan 2018–Jan 2019. Altogether, these users have visited around 15k first- party websites across one year, involving over 187k third-party domains (Table 1). We have also published the official version of our add-on in Chrome Web Store as “Thunderbeam-Lightbeam for Chrome”, and have seen over 1000+ installs of our plugin by Feb. 7th, 2020. This plugin offers users the option of submitting their data to our study. Through this mechanism, we have collected two-months of data from 124 users, who collectively provide us a picture of the third party ecosystem from 25 countries, as detailed in Table 2).
3 CONTAINER DEMAND BY COUNTRY For any two sets of websites, the set with the lower tangle factor (i.e., the number of separate containers needed to ensure that a common third party does not learn about two first parties visited) is Alexa top2k the one with the better privacy, and with less powerful third party Figure 3: Tangle factors for (global) websites tracking practices. visited from UK and China vantage points. We begin by exploring the tangle factor of popular sets of web- sites from different countries. We then go on to show that tangle factor depends to a large extent on the country rather than actual numbers of third parties involved. What a Tangled Web We Weave: Understanding the Interconnectedness of the Third Party Cookie Ecosystem WebSci ’20, July 6–10, 2020, Southampton, United Kingdom
8 UK 7 CN 6
5
4
3
2 AVG(FP)perContainer 1
0 6 8 10 12 14 AVG(TP) per FP
Figure 4: Linear correlation between TPs/FP and (a) Regression between container numbers and the weekly FPs by each user with 95% confidence interval.r ( 2 = 0.9688; r 2 = 0.9162) FPs/Container. Each point represents the average TPs/FP UK CN and FPs/containerfor one of the different ranked bins depicted in Figure 3. The Pearson correlation coefficient �0 between TPs/FP and FPs/Container in China is -0.681 and �0 UK is -0.728 �0
�0
3.1 Tangle factors of Alexa.com topsites visited 0 from China and the UK
�������� ��0 We begin by binning the Alexa top 2K websites (global ranks) into sets of 100 websites (i.e., the first bin has websites ranked 1–100, the ��0 second bin has websites ranked 101–200, and so on). We then ask ��0 �� whether users from different countries experience different levels �� of tracking, by accessing these websites from vantage points in the ��0 UK and China, using our automated browsing system (cf. Sec. 2.5). 0 �0 �00 ��0 �00 ��0 �00 ��0 Fig. 3 shows the tangle factors of these sites for different rank bins. ������������ We find that overall, even when visiting the same sets of websites, (b) Residuals users visiting from China are “less tangled” than users visiting from UK, i.e., need fewer containers. This is especially true for the most popular websites (ranks < 500). This is possibly because the Great Figure 5: Relation between numbers of first parties visited, Firewall of China blocks websites such as Facebook and Google, and tangle factors (numbers of separate containers required) which are among of the most prevalent of trackers of Western for weekly browsing histories of users from UK and China. countries [20]. The scatter plot of Figure 4 shows that indeed, the numbers of third parties per website is lower when visiting the are unlikely to solely consist of the global top-k websites. Instead, Alexa global top2k websites from China than from the UK (blue country specific websites are likely to be hugely important. points are largely to the left of red points with one exception), and We therefore next turn to understand the numbers of containers that there is a strong (anti-)correlation between number of third required for real users, by focusing on one year of browsing histories parties loaded, and the number of containers needed for the trends of our panel of users (Table 1). Figure 5(a) shows the number of among both countries. containers needed (i.e., tangle factors) by individual users, as a function of how many first party websites they visit in each week. 3.2 Tangle factors of real users There is a clear correlation, with users who visit more FPs having The above result provides an indication of how blocking, especially higher tangle factors. However, in general, the Chinese users require at a countrywide level, can have an unintended positive side ef- fewer containers (have lower tangle factors) than UK users. fect of decreasing the level of tracking by global giants for users We can also compute a linear regression, with coefficients as: from those countries. However, individual users’ browsing histories nUKcontainer = mUK × nf irstparty + cUK
nCNcontainer = mCN × nf irstparty + cCN 5https://alexa.com 6This research is conducted under our university’s Ethics Approval no. MRS-1718-6539. where mUK ,mCN represents the slope of the UK and CN growth and the data protection review by Chrome Web Store lines respectively and cUK ,cCN are constant terms. Figure 5(a) WebSci ’20, July 6–10, 2020, Southampton, United Kingdom Xuehui Hu and Nishanth Sastry
4 RESTRICTING CONTAINER DEMAND The results of the previous section lead us to consider ways to decrease the interconnectedness of the third party ecosystem in a given setting. We consider three options: First, we consider how effective are the default “content blocking” protections of different browsers, comparing Firefox and Chrome (§4.1). Then we consider what happens if browsers like Firefox generalised from the current special purpose “Facebook” containers, and instead just removed or blocked the top most prevalent third parties (§4.2). After this, we consider user interventions, such as installing ad blockers, which removes certain third parties. Each ad blocker removes different third parties based on their lists, and we use the tangle factor as a metric to understand which ones are the most effective (§4.3). Finally, in §4.4 we consider how well different categories of websites are able to co-exist with each other in the same container, without Figure 6: Average number of FPs stored in each container information leakage. from Jan. 2018 to Jan. 2019 after ADNS disambiguation, based on weekly browsing records of UK and China partici- 4.1 Chrome vs. Firefox pants. To begin with, we assess the default levels of privacy protection provided by two popular browsers - Firefox and Chrome. In partic- ular, many casual or non privacy-conscious users may not install shows the trends, and a good fit with high r 2 values. We also and deploy extensions such as ad blockers, which we consider later. plot residuals in Figure 5(b), to check whether values are scat- However, even without installing extensions, there is a possibil- tered around the y axis randomly, demonstrating that the linear ity of using mechanisms such as “Do Not Track” in most modern regression model is appropriate for both UK and China datasets. browsers, including Chrome7 and Firefox8, although it is known The regression lines of Figure 5(a) clearly show that the slope that Do Not Track is not very effective in practice7 [ , 19]. Com- of the regression is lower in China than in the UK. Thus, even pared with Chrome, Firefox provides users with a collection of though heavier browsing leads to more tracking in both countries, additional privacy protection features known as content blocking9. the growth in tracking is slower in China than in the UK. Users could turn on strict content blocking in Firefox even without installing extensions, and prevent more harmful practices. 3.3 Container shareability in 25 countries To test the effectiveness of these practices, we visit the Alexa top500 websites in an automated fashion, using Chrome and Firefox The lower tangle factor in China means that Chinese users need with the default settings. We then check the tangle factors, i.e., the fewer containers to keep their browsing habits private from third number of containers required to separate third parties after the parties. Figure 6 confirms this, showing that across the duration browsers have done their blocking (in the case of Firefox with of the entire year of our study, Chinese users can pack more first content blocking), and taking into account the decrease in tracking parties into each container, without compromising privacy. due to the “Do Not Track” option. We expand on the above observation, and turn to the in-the-wild users of our Thunderbeam plugin (cf. Table 2). We ask how many first parties can be packed into containers (on average) for usersin Table 3: Number of containers required on Chrome and Fire- different countries around the world. fox, when employing no extensions, but enabling privacy Figure 7 shows the results. In some countries such as China and controls available by default. Singapore (Figure 7(a)), it is possible to pack many more first par- ties into each container, whereas in others, the first parties tend Num (Containers) Chrome Firefox to have common third parties, and therefore need to be placed in Original 408 410 separate containers. We simultaneously plot the average numbers Do Not Track 405 409 of third parties used by each first party, and the figures show vi- Strict Content Block × 339 sually that there is not necessarily a correlation. Note that this is also the case even when we discount countries with small num- bers of users (countries with fewer than five users are grayed out). Table 3 shows the results. As expected, “Do Not Track” barely Figure 7(b) confirms the above visual observation with a scatter has any effect at all. It is merely a request to websites not totrack, plot and corresponding Pearson correlation calculation, that shows and if a site chooses not to respect it, there is no effect whatsoever there is no strong correlations between higher numbers of third on tracking. However, “content blocking” in Firefox decreases the parties used and the numbers of first parties that can be packed into 7 a container. Rather, it is the interconnectedness of the first parties, Turn "Do Not Track" on or off in Chrome: https://support.google.com/chrome/answer/ 2790761?co=GENIE.Platform%3DDesktop&hl=en i.e., the numbers of third parties shared, that determines whether 8https://support.mozilla.org/en-US/kb/how-do-i-turn-do-not-track-feature or not two first parties can be placed into the same container. 9Content blocking in Firefox: https://support.mozilla.org/en-US/kb/content-blocking What a Tangled Web We Weave: Understanding the Interconnectedness of the Third Party Cookie Ecosystem WebSci ’20, July 6–10, 2020, Southampton, United Kingdom
2.0 TP/FP FPs/Container0 (right) 30 1.8 1.8 1.8
25 1.6 1.6 1.6
) per FP)per 1.4 1.4 20 1.4 1.2 1.2 1.2 15 1.0 1.0 1.0 10 0.8 AVG(FP)Container per 0.8 0.8 AVG(Containers 5 0.6 0.6 0.6 0 AVG(FP)Container per 0.4 0.4 Italy India Chile Israel Brazil Spain China Egypt
France 0.2 0.2 States Mexico Austria Tunisia Norway Canada Sweden Belgium Thailand Denmark Germany Singapore
Switzerland 0.0 0.0 Netherlands Luxembourg
United 0 10 20 30 0 10 20 30
United Kingdom United AVG(TP) per FP AVG(TP) per FP
(a) Numbers of FPs in each container, and the corresponding numbers of in 25 (b) Scatter plot of number of TPs per FP and number of FPs per container; in red countries (countries with fewer than 5 users grayed out) for users in all 25 countries (Pearson Correlation Coefficient -0.301), and in blue for users in 13 countries with more than 5 users (correlation -0.360)
Figure 7: Comparison between the average number of TPs per FP and container per FP in countries. number of containers required by about 17%, from 410 to 339 con- 4.3 Assessment of ad blockers tainers, because it executes additional blocking on the browser side. Next, we use the same technique as above to determine the effec- However, neither of these options is as effective as employing an tiveness of ad blockers. We visit the Alexa top 500 websites from ad blocker such as uBlock origin (which, as we will show in §4.3, a UK location, using Selenium in non-headless mode. We perform results in a 40% reduction in number of containers needed). this experiment by installing four different popular ad blockers in turn: uBlock Origin, Adblock Plus, Ghostery and Adguard Ad- blocker. The selection of these four popular ad blockers is based on the recommendations in [4]. In Figure 10, we explore the performance of these ad blockers and show the percentage decrease in numbers of third parties as well 4.2 Effectiveness of removing top third parties as the tangle factor or numbers of containers required, when those Next step up in terms of user effort, Firefox has an interesting ad blockers are deployed. This shows that uBlock origin performs “suggested” add on that isolates Facebook logins from other websites. the best, with nearly 60% reduction in raw numbers of third parties, As Facebook is one of the most commonly used trackers, this is and over 40% reduction in the number of containers required. highly effective in decreasing overall levels of tracking. In this Both uBlock Origin and Adblocker Plus use Easy list for the subsection, we ask, as a “what-if” scenario, what would happen if list of third parties to filter. However, different default privacy all the top-k trackers were removed or blocked by default. settings could lead to different degrees of protection. In addition This is visualised in Figure 8, which shows the First Party In- to Easy List, uBlock applies additional filters from Easy Privacy, terconnection Graphs (FPIG) of the Alexa Global top 500 websites, Malware domain list and Peter Lowe’s tracker list[30]. These are when these websites are visited from UK and China respectively enabled by default; thus, even if the user installs uBlock Origin (similar to the setup of Figure. 3). The graphs are drawn using a without any custom settings, protection is provided by default. In force-directed layout algorithm, with lays out the most connected contrast, Adblocker Plus takes a more moderate approach, and also nodes as the central core, and largely isolated nodes as a ring around allows some acceptable ads [2] (e.g., ads that comply with “Do Not the edges. The figure shows how even removing only the top20 Track” or those generated from the same origin as the first-party third parties can drastically decrease the tangledness of the FPIGs. site), which results in the slight increase in the number of required This informal but visually clear result is formalised in Figure 9, containers. Adguard Adblocker’s poor performance in stopping which shows how the tangle factor progressively decreases when third parties requests seems to be related to the fact that it hides ad visiting the global Alexa top 500 websites from UK and China, but elements after loading the entire site, rather than pre-blocking ad with the top third parties removed. Initially, UK users need nearly elements[1]. 408 containers for the 500 websites, whereas CN users need 227. However, after removing just the top 50 third parties, the number of containers required drops to 9 and 8 respectively. Thus, the 4.4 Interconnectedness across web categories third party ecosystem is highly interconnected mainly because of the Finally, we ask how different categories of websites are able to predominance of a few large third parties. Protection against these co-exist with each other, given the above kinds of interventions. large players can greatly decrease the extent of third party tracking We use Alexa’s categorisation of the top 500 websites into 16 global in today’s web ecosystem. categories, and examine the distribution of these categories in the WebSci ’20, July 6–10, 2020, Southampton, United Kingdom Xuehui Hu and Nishanth Sastry
(a) Initial layout of top500 (CN) (b) Layout after removal (CN) (c) Initial layout of top500 (UK) (d) Layout after removal (UK)
Figure 8: Force-directed layout of the FPIG of the Alexa Global Top 500 websites visited from a Chinese Location ((a) and (b)), and visited from the UK ((c) and (d)). The inner core is highly connected, and the outer ring is largely isolated nodes which can share a container. Nodes which can share a container are given the same colour. (b) and (d) show how the initial layouts in (a) and (c) for CN and UK respectively improve with many more isolated nodes after the top 20 third parties are removed.
largest of the containers that may be formed after separating web- sites that share common third parties. Fig. 11 shows the results. The first two columns show the cate- gory distribution of the contents of the largest container, when first parties from the Alexa top websites of China and UK are separated into containers based on shared third parties. The remaining four columns show the category distribution of the largest container for the the UK top 500 websites, when different ad blockers are applied in order from the least effective (Adguard) to the most effective (uBlock origin)10. The CN500 column has a larger number of sites (94) than UK 500 (61), as tracking is less evolved in China. However, as more intrusive ad block extensions are introduced, the size of the largest container increases even for the UK500, and with both Ad block Plus (ABP) and uBlock origin, the largest container for UK is comparable to or larger than the largest container for China. Figure 9: Decrease in tangle factor as the top trackers are re- Looking across the categories, we find that the largest propor- moved or blocked. After removing about 50 top third parties, tion of sites are those related to computers in both China and UK. UK and China respectively require only 9 and 8 containers, Regional websites in the UK also track less and are therefore more as opposed to initial numbers of 408 and 227 containers. easily incorporated into this large container.
5 RELATED WORK Vyas et al. [44] propose to extend the same origin policy by adding a so-called origin attributes field, and separating cookies from dif- ferent origin attributes. Our mechanism detects collision between two first parties automatically if third parties are shared, andcan be used to create different origin attributes automatically. Thus, our method can feed into the origin attributes mechanism. Origin attributes are used for contextual IDs in Mozilla multi- account containers[34]. Mozilla also introduced a special-purpose container targeted at the control of Facebook trackers [36]. Our work is inspired by these efforts, and generalises. Indeed, we show that removing the top 10-20 containers can have a hugely beneficial effect. Related works such as [22, 29, 41] have been looking at better Figure 10: Percentage of decline in the number of containers ways to detect online trackers, including anonymizing the refer- and third parties, when users apply different ad blockers to rer field in HTTP requests25 [ ]. Although our work does not di- visit Alexa top500 websites from a UK location. (Larger de- rectly aim at blocking trackers, or attacking them in other ways cline is better). (e.g.,[21]), identification of third parties is a paramount first step
10We do not apply Ad blockers to the CN 500 websites, as the ad blocker lists are not adapted for Chinese websites. What a Tangled Web We Weave: Understanding the Interconnectedness of the Third Party Cookie Ecosystem WebSci ’20, July 6–10, 2020, Southampton, United Kingdom
two cohorts of users: one, a carefully selected panel of 15 users, 9 from the UK and 6 from China, the other a set of 124 users from 25 different countries in the world who have chosen to donate data to our research project. We believe we are one of the first to use data from the browsing histories of real users. Note that we do not collect demographic information about our users due to privacy considerations. We introduced a novel metric, which we call the “tangle factor”, to measure the interconnectedness of the third party ecosystem. The tangle factor is based on the insight that if we were to create a “first party interconnection graph” by drawing edges between first party websites which share a third party, the websites on either side of edge would share one or more third parties and therefore need to be placed in separate containers to prevent tracking. Thus, the minimum number of colours needed to colour this graph, i.e., its vertex chromatic number, also represents the number of containers needed. Using this metric, we showed that when visiting the same Figure 11: Proportion of the first-party websites from differ- websites, users from Chinese locations are less tracked than users ent Alexa web categories in the largest container from UK locations, likely due to automatic blocking of major track- ers like Google and Facebook from the Great Firewall of China. We also showed that this result carries over into the actual browsing and a key concern for us. For this, we have referred to and used histories of our panel of users, which are based on country-specific strategies, heuristics or third party lists from a number of efforts websites rather than global most popular sites considered in the like ChromeDanger [6], Ghostery [12], Brave [16], AdReveal [27], synthetic evaluation. Adblock [38], Plus [17], XRay [24], TrackAdvisor [25], and Discon- We then used the tangle factor metric to assess the effectiveness nect [8]. Other works focus on advertising [25, 27] or on service of different methods of blocking trackers. We showed that blocking media [42] alone as well as they do not consider country-specific the top 20 trackers alone is sufficient to bring down the intercon- trackers. Previous works like [23, 45], also mentioned the need for nectivity greatly, and only 9 containers, instead of 400 containers, disambiguation of third parties based on authoritative DNS servers, are needed in the UK to separate out Alexa top 500 first parties which we use. that share a third party. We also used the tangle factor metric to An overview of the evolution of the third-party tracking ecosys- compare ad blockers and showed that uBlock origin works better tem is given in [29]. Authors show in 2012 that web measurements than others such as ghostery, Ad blocker plus and ad guard. We are an effective way to understand trackers. Later in 2015, authors also showed that the default protection offered by Firefox is bet- in [26] provide an overview of the usage of cookies over 1 million ter than that offered by Google Chrome. These measurements are sites. In another work from 2016, authors look at an advanced form intended as proof-of-concept and our method can be expanded to of tracking that uses a cookie hijacking attack [40]. The setting compare other content blocking and protections apart from the proposed is adversarial and can therefore be considered less real- ones we consider in this paper. These results provide quantitative istic than our study. More importantly, authors focus largely on evidence that the third party ecosystem is highly interconnected DoubleClick, Google, and Amazon that hardly operate in China. mainly because of a few large players, and protection against these Our work looks at trackers today, but follows the design princi- can greatly decrease the extent and impact of tracking on the web. ples proposed in [29]. The size of our measurement is not as large as in [26]. However, we provide special attention to the most popular REFERENCES sites in different countries. We further consider the browsing habits [1] Adblock_Plus. 2018. Allowing acceptable ads in Adblock Plus. Available at of a user group that volunteer to our study. https://adblockplus.org/acceptable-ads. In terms of the ad-block performance evaluation, [10] uses in- [2] AdGuard. 2019. FAQ-What is the difference between AdGuard filtering meth- ods? Available at https://kb.adguard.com/en/android/faq#what-is-the-difference- spectors to evaluate the difference of blocking/capturing results between-adguard-filtering-methods. caused by different strategies of PETs or browsers. For example, [3] Pushkal Agarwal, Sagar Joglekar, Panagiotis Papadapoulos, Nishanth Sastry, Ghostery and Disconnect only capture requests but do not modify and Nicolas Kourtellis. 2020. Stop tracking me Bro! Differential Tracking of User Demographics on Hyper-Partisan Websites. In Proceedings of the The Web ad attributions, while uBlock Origin uses filters to change the attri- Conference (WWW 2020) (WWW ’20). International World Wide Web Conferences butions of ad scripts to block the embedded advertisements. Our Steering Committee, Taipei, Taiwan, 10. paper examines the performance of ad-blockers on the basis of their [4] Mshabab Alrizah, Sencun Zhu, Xinyu Xing, and Gang Wang. 2019. Errors, Misunderstandings, and Attacks: Analyzing the Crowdsourcing Process of Ad- ability to restrict interconnections between first party websites. blocking Systems. In Proceedings of the Internet Measurement Conference. ACM, 230–244. [5] Muhammad Ahmad Bashir and Christo Wilson. 2018. Diffusion of user tracking 6 CONCLUSION data in the online advertising ecosystem. Proceedings on Privacy Enhancing In this paper, we considered the interconnectedness of the third Technologies 2018, 4 (2018), 85–103. [6] Lujo Bauer, Shaoying Cai, Limin Jia, Timothy Passaro, and Yuan Tian. 2014. party ecosystem, using vantage points from the UK and China to Analyzing the dangers posed by Chrome extensions. In 2014 IEEE Conference on visit Alexa top 500 websites, and relying on real browsing histories Communications and Network Security. IEEE, 184–192. WebSci ’20, July 6–10, 2020, Southampton, United Kingdom Xuehui Hu and Nishanth Sastry
[7] Frederik Zuiderveen Borgesius. 2013. Behavioral targeting: A European legal In Proceedings of the Twelfth ACM Workshop on Hot Topics in Networks. ACM, 12. perspective. IEEE security & privacy 11, 1 (2013), 82–85. [28] Dave Martorana. 2006. MultiFirefox. Available at https://davemartorana.com/ [8] Willem Boumans and Ir Erik Poll. 2017. Web Tracking And Current Countermea- multifirefox/ (last accessed on 28 Feb 2020). sures. (2017). [29] Jonathan R Mayer and John C Mitchell. 2012. Third-party web tracking: Policy [9] Cliqz. 2017. Ghostery. https://github.com/ghostery. and technology. In 2012 IEEE symposium on security and privacy. IEEE, 413–427. [10] Amit Datta, Jianan Lu, and Michael Carl Tschantz. 2018. The Effectiveness [30] Johan Mazel, Richard Garnier, and Kensuke Fukuda. 2019. A comparison of web of Privacy Enhancing Technologies against Fingerprinting. arXiv preprint privacy protection techniques. Computer Communications 144 (2019), 162–174. arXiv:1812.03920 (2018). [31] Daniele Moro, Filippo Benati, Michele Mangili, and Antonio Capone. 2018. Catch- [11] Disconnect. 2013. Take back your privacy. Available at https://disconnect.me/. ing free-riders: in-network adblock detection with machine learning techniques. [12] Steven Englehardt and Arvind Narayanan. 2016. Online tracking: A 1-million-site In 2018 IEEE 23rd International Workshop on Computer Aided Modeling and Design measurement and analysis. In Proceedings of the 2016 ACM SIGSAC conference on of Communication Links and Networks (CAMAD). IEEE, 1–6. computer and communications security. ACM, 1388–1401. [32] Mozilla. 2012. Firefox Lightbeam. Available at https://github.com/mozilla/ [13] ExtUp. 2019. CookieSwap. Available at https://addons.mozilla.org/en-GB/firefox/ lightbeam-we. addon/cookieswap-q/ (last accessed on 28 Feb 2020). [33] Mozilla. 2015. Multi-Account Containers. Available at https://support.mozilla. [14] Eyeo_GmbH. 2015. AdBlock Plus. https://github.com/adblockplus. org/en-US/kb/containers#w_what-are-containers (last accessed on 28 Feb 2020). [15] FDev. 2013. Swap my Cookie. Available at https://chrome.google.com/webstore/ [34] Mozilla. 2017. Firefox Multi-Account Containers. Available at detail/swap-my-cookies/dffhipnliikkblkhpjapbecpmoilcama?hl=en (last accessed {https://addons.mozilla.org/en-GB/firefox/addon/multi-account-containers/ on 28 Feb 2020). versions/s}(lastaccessedon28Feb2020). [16] Gertjan Franken, Tom Van Goethem, and Wouter I Joosen. 2019. Exposing Cookie [35] Mozilla. 2018. Facebook Container - Prevent Facebook from tracking you on other Policy Flaws Through an Extensive Evaluation of Browsers and Their Extensions. websites. Available at https://support.mozilla.org/en-US/kb/facebook-container- IEEE Security & Privacy (2019). prevent-facebook-tracking (last accessed on 28 Feb 2020). [17] Arthur Gervais, Alexandros Filios, Vincent Lenders, and Srdjan Capkun. 2017. [36] Mozilla. 2018. Facebook Container Extension: Take control of how you’re be- Quantifying web adblocker privacy. In European Symposium on Research in Com- ing tracked. Available at https://blog.mozilla.org/firefox/facebook-container- puter Security. Springer, 21–42. extension/ (last accessed on 28 Feb 2020). [18] Raymond Hill. 2016. uBlock Origin. https://github.com/gorhill/uBlock. [37] Muhammad Haris Mughees, Zhiyun Qian, and Zubair Shafiq. 2017. Detecting [19] Chris Hoffman. 2019. RIP “Do Not Track,” the Privacy Standard Everyone anti ad-blockers in the wild. Proceedings on Privacy Enhancing Technologies 2017, Ignored. Available at https://www.howtogeek.com/fyi/rip-do-not-track-the- 3 (2017), 130–146. privacy-standard-everyone-ignored/. [38] Panagiotis Papadopoulos. [n.d.]. Analyzing the Impact of DigitalAdvertising on [20] Xuehui Hu, Guillermo Suarez-Tangil, and Nishanth Sastry. 2020. Multi-country User Privacy. Available at http://users.ics.forth.gr/~panpap/thesis/panpap_phd_ Study of Third Party Trackers from Real Browser Histories. (Accepted). In Pro- dissertation.pdf. ceedings of the 5th IEEE European Symposium on Security and Privacy (Euro S&P). [39] Panagiotis Papadopoulos, Nicolas Kourtellis, and Evangelos Markatos. 2019. [21] I Luk Kim, Weihang Wang, Yonghwi Kwon, Yunhui Zheng, Yousra Aafer, Weijie Cookie synchronization: Everything you always wanted to know but were afraid Meng, and Xiangyu Zhang. 2018. Adbudgetkiller: Online advertising budget to ask. In The World Wide Web Conference. ACM, 1432–1442. draining attack. In Proceedings of the 2018 World Wide Web Conference. Interna- [40] Suphannee Sivakorn, Iasonas Polakis, and Angelos D Keromytis. 2016. The tional World Wide Web Conferences Steering Committee, 297–307. cracked cookie jar: HTTP cookie hijacking and the exposure of private informa- [22] Balachander Krishnamurthy, Konstantin Naryshkin, and Craig Wills. 2011. Pri- tion. In 2016 IEEE Symposium on Security and Privacy (SP). IEEE, 724–742. vacy leakage vs. protection measures: the growing disconnect. In Proceedings of [41] Ashkan Soltani, Shannon Canty, Quentin Mayo, Lauren Thomas, and Chris Jay the Web, Vol. 2. 1–10. Hoofnagle. 2010. Flash cookies and privacy. In 2010 AAAI Spring Symposium [23] Balachander Krishnamurthy and Craig Wills. 2009. Privacy diffusion on the web: Series. a longitudinal perspective. In Proceedings of the 18th international conference on [42] Jannick Kirk Sørensen and Hilde Van den Bulck. 2018. Public service media World wide web. ACM, 541–550. online, advertising and the third-party user data business: A trade versus trust [24] Mathias Lécuyer, Guillaume Ducoffe, Francis Lan, Andrei Papancea, Theofilos dilemma? Convergence (2018), 1354856518790203. Petsios, Riley Spahn, Augustin Chaintreau, and Roxana Geambasu. 2014. Xray: [43] Toolness. 2012. Collusion. Available at http://www.toolness.com/wp/2011/07/ Enhancing the web’s transparency with differential correlation. In 23rd {USENIX} collusion/. Security Symposium ({USENIX} Security 14). 49–64. [44] Tanvi Vyas, Andrea Marchesini, and Christoph Kerschbaumer. 2017. Extending [25] Tai-Ching Li, Huy Hang, Michalis Faloutsos, and Petros Efstathopoulos. 2015. the Same Origin Policy with Origin Attributes. Trackadvisor: Taking back browsing privacy from third-party trackers. In In- [45] Craig E Wills and Doruk C Uzunoglu. 2016. What ad blockers are (and are ternational Conference on Passive and Active Network Measurement. Springer, not) doing. In 2016 Fourth IEEE Workshop on Hot Topics in Web Systems and 277–289. Technologies (HotWeb). IEEE, 72–77. [26] Timothy Libert. 2015. Exposing the hidden web: An analysis of third-party HTTP [46] Shitong Zhu, Xunchao Hu, Zhiyun Qian, Zubair Shafiq, and Heng Yin. 2018. requests on 1 million websites. arXiv preprint arXiv:1511.00619 (2015). Measuring and disrupting anti-adblockers using differential execution analysis. [27] Bin Liu, Anmol Sheth, Udi Weinsberg, Jaideep Chandrashekar, and Ramesh Govin- In The Network and Distributed System Security Symposium (NDSS). dan. 2013. AdReveal: improving transparency into online targeted advertising.